Audit of the SEC’s Physical Security Program

August 1, 2014
Report No. 523

UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
OFFICE OF INSPECTOR GENERAL

MEMORANDUM

August 1, 2014

To: Jeffery Heslop, Chief Operating Officer, Office of the Chief Operating Officer

From: Carl W. Hoecker, Inspector General, Office of Inspector General

Subject: Audit of the SEC’s Physical Security Program, Report No. 523

Attached is the Office of Inspector General’s (OIG) final report detailing the results of our audit of the U.S. Securities and Exchange Commission’s (SEC) physical security program. The report contains nine recommendations for corrective action that, if fully implemented, should strengthen the SEC’s physical security controls.

On July 7, 2014, we provided agency management with a draft of our report for review and comment. In the July 30, 2014, response, management fully concurred with eight of our nine recommendations and partially concurred with the remaining recommendation. As a result of management’s response, we revised Recommendations 6 and 8. Management’s complete response is reprinted as Appendix VII in the final report.

Within the next 45 days, please provide the OIG with a written corrective action plan that addresses the recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframe for completing required actions, and milestones identifying how your office will address the recommendations.

We appreciate the courtesies and cooperation extended to us during the review. If you have questions, please contact me or Rebecca L. Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects.

Attachment

cc:
Mary Jo White, Chair
Erica Y. Williams, Deputy Chief of Staff, Office of the Chair
Luis A. Aguilar, Commissioner
Paul Gumagay, Counsel, Office of Commissioner Aguilar
Daniel M. Gallagher, Commissioner
Benjamin Brown, Counsel, Office of Commissioner Gallagher
Michael S. Piwowar, Commissioner
Mark Uyeda, Counsel, Office of Commissioner Piwowar
Kara M. Stein, Commissioner
Robert Peak, Advisor to the Commissioner, Office of Commissioner Stein
Anne K. Small, General Counsel, Office of the General Counsel
Timothy Henseler, Director, Office of Legislative and Intergovernmental Affairs
John J. Nester, Director, Office of Public Affairs
Barry Walters, Director/Chief FOIA Officer, Office of Support Operations
Cedric Drawhorn, Assistant Director, Chief of Security Services, Office of Support Operations
Cedric Watson, Branch Chief, Physical Security Operations, Office of Security Services, Office of Support Operations
Thomas A. Bayer, Director, Office of Information Technology
Pamela C. Dyson, Deputy Director, Office of Information Technology
Todd K. Scharf, Associate Director, Chief Information Security Officer, Office of Information Technology
Vance Cathell, Director, Office of Acquisitions
Michael Whisler, Assistant Director, Office of Acquisitions
Paul Levenson, Regional Director, Boston Regional Office
Lynn Austin, Assistant Regional Director, Boston Regional Office
Andrew M. Calamari, Regional Director, New York Regional Office
Robert Keyes, Associate Regional Director, New York Regional Office
Jina L. Choi, Regional Director, San Francisco Regional Office
Darlene L. Pryor, Management and Program Analyst, Office of the Chief Operating Officer

U.S. SECURITIES AND EXCHANGE COMMISSION
OFFICE OF INSPECTOR GENERAL

Executive Summary

Why We Did This Audit

The Government Accountability Office has designated Federal real property management as a governmentwide high-risk area due, in part, to the continued challenge of protecting Federal facilities. At the U.S. Securities and Exchange Commission (SEC), the Office of Security Services (OSS) is responsible for the physical security and safety of SEC staff and facilities at the agency’s 11 regional offices, 2 data centers, and headquarters in Washington, D.C. In 2011 and 2012, the Office of Inspector General (OIG) investigated physical security violations, and recommended a review of the agency’s physical security program. As a result, the OIG contracted with Ollie Green & Company, CPA’s, LLC (referred to as “we” in this report) to assess the SEC’s policies, procedures, and controls for safeguarding personnel and preventing unauthorized access to the agency’s facilities.

What We Found

We visited the SEC’s headquarters, three of its regional offices, and its two data centers, and obtained information from personnel at the remaining SEC locations. From our observations and the information we obtained, we determined that improvements are needed in the SEC’s physical security controls. Specifically, we identified vulnerabilities relating to

• the agency’s facility risk assessments and facility security plans;
• control of SEC-issued badges;
• some access-controlled doors; and
• monitoring of the SEC’s physical access control and intrusion detection systems.

In addition, the SEC’s security system contractor did not always notify the OSS of alarm conditions. Finally, one of the SEC’s data centers lacked sufficient security measures to prevent unauthorized, undetected, and undocumented access to key information technology assets.

During the audit, management took action to address some of the conditions we observed; however, the conditions occurred because the OSS did not adequately manage and administer the SEC’s physical security program. Specifically, we found that

• the OSS did not establish effective policies and procedures to address required Federal physical security standards;
• the OSS did not ensure that physical security program internal controls were measured and tested;
• security specialists’ competencies did not always match their assigned roles and responsibilities; and
• the OSS outsourced security systems responsibilities to a contractor but did not provide sufficient oversight to monitor the contractor’s performance.

The results of our audit indicate that action is required to establish a comprehensive physical security program and that doing so will reduce the risk to SEC personnel, facilities, and property.

What We Recommended

To provide reasonable assurance that the SEC’s policies, procedures, and controls effectively safeguard personnel and prevent unauthorized access to the agency’s facilities, we made nine recommendations for corrective action. The recommendations address policies and procedures; risk assessments; facility security plans; issuance of badges; access-controlled doors; contractor performance; data center controls; and training. Management concurred with eight of the recommendations and partially concurred with one recommendation. The recommendations will be closed upon completion and verification of appropriate corrective action. Because this report contains sensitive information about the SEC’s physical security program, we are not releasing it publicly.

For additional information, contact the Office of Inspector General at (202) 551-6061 or www.sec.gov/about/offices/inspector_general.shtml.

To Report Fraud, Waste, or Abuse, Please Contact:

Web: www.reportlineweb.com/sec_oig
E-mail: oig@sec.gov
Telephone: (877) 442-0854
Fax: (202) 772-9265
Address: U.S. Securities and Exchange Commission, Office of Inspector General, 100 F Street, N.E., Washington, DC 20549-2736

Comments and Suggestions

If you wish to comment on the quality or usefulness of this report or suggest ideas for future audits, please contact Rebecca Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects at sharekr@sec.gov or call (202) 551-6061. Comments, suggestions, and requests can also be mailed to the attention of the Deputy Inspector General for Audits, Evaluations, and Special Projects at the address listed above.